#
# This patch allows for better interop with MS Windows clients accessing Solaris
# SMB services. It fixes a few memory leaks and double frees found during SMB
# stress testing. The CRs in order:
#
# 15580724 SUNBT6868908 Solaris acceptors should have returned KRB5KRB_AP_...
# 20416772 spnego_gss_accept_sec_context issue with incorrect KRB OID
# 16005842 Should retry SMB authentication upgrade to account for network...
# 15579598 SUNBT6867208 Windows client cannot recover from KRB5KRB_AP_ERR_SKEW..
#
# Note: MIT tickets will subsequently be filed, but the solution may differ from
# what we currently offer in Solaris, because they may want the changes as the
# default behavior therefore removing the dependency on the MS_INTEROP
# environment variable.
# Patch source: in-house
#
@@ -454,8 +454,6 @@ kg_accept_krb5(minor_status, context_handle,
const gss_OID_desc *mech_used = NULL;
OM_uint32 major_status = GSS_S_FAILURE;
OM_uint32 tmp_minor_status;
- krb5_error krb_error_data;
- krb5_data scratch;
gss_cred_id_t defcred = GSS_C_NO_CREDENTIAL;
krb5_gss_cred_id_t deleg_cred = NULL;
krb5int_access kaccess;
@@ -1214,6 +1212,8 @@ fail:
major_status == GSS_S_CONTINUE_NEEDED)) {
unsigned int tmsglen;
int toktype;
+ krb5_error krb_error_data;
+ krb5_data scratch;
/*
* The client is expecting a response, so we can send an
@@ -1221,6 +1221,31 @@ fail:
*/
memset(&krb_error_data, 0, sizeof(krb_error_data));
+ /*
+ * We need to remap error conditions for buggy Windows clients if the
+ * MS_INTEROP env var has been set.
+ */
+ if ((code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ code == KRB5KRB_AP_ERR_NOKEY || code == KRB5KRB_AP_ERR_BADKEYVER)
+ && getenv("MS_INTEROP")) {
+ code = KRB5KRB_AP_ERR_MODIFIED;
+ major_status = GSS_S_CONTINUE_NEEDED;
+ }
+
+ /*
+ * Set e-data to Windows constant (verified by MSFT).
+ *
+ * This facilitates the Windows CIFS client clock skew
+ * recovery feature.
+ */
+ if (code == KRB5KRB_AP_ERR_SKEW && getenv("MS_INTEROP")) {
+ /* Note that free() must not be called on
+ * krb_error_data.e_data.data */
+ krb_error_data.e_data.data = "\x30\x05\xa1\x03\x02\x01\x02";
+ krb_error_data.e_data.length = 7;
+ major_status = GSS_S_CONTINUE_NEEDED;
+ }
+
code -= ERROR_TABLE_BASE_krb5;
if (code < 0 || code > KRB_ERR_MAX)
code = 60 /* KRB_ERR_GENERIC */;
@@ -180,6 +180,13 @@ get_negTokenResp(OM_uint32 *, unsigned char *, unsigned int,
static int
is_kerb_mech(gss_OID oid);
+/* encoded OID octet string for NTLMSSP security mechanism */
+#define GSS_MECH_NTLMSSP_OID_LENGTH 10
+#define GSS_MECH_NTLMSSP_OID "\053\006\001\004\001\202\067\002\002\012"
+static gss_OID_desc ntlmssp_oid = {
+ GSS_MECH_NTLMSSP_OID_LENGTH, GSS_MECH_NTLMSSP_OID
+};
+
/* SPNEGO oid structure */
static const gss_OID_desc spnego_oids[] = {
{SPNEGO_OID_LENGTH, SPNEGO_OID},
@@ -1325,6 +1332,7 @@ acc_ctx_new(OM_uint32 *minor_status,
gss_buffer_desc der_mechTypes;
gss_OID mech_wanted;
spnego_gss_ctx_id_t sc = NULL;
+ unsigned int i;
ret = GSS_S_DEFECTIVE_TOKEN;
der_mechTypes.length = 0;
@@ -1347,6 +1355,26 @@ acc_ctx_new(OM_uint32 *minor_status,
*return_token = NO_TOKEN_SEND;
goto cleanup;
}
+
+ /*
+ * We add KRB5_WRONG here so that old MS clients can negotiate this
+ * mechanism, which allows extensions in Kerberos (clock skew
+ * adjustment, refresh ccache).
+ */
+ for (i = 0; i < supported_mechSet->count; i++) {
+ if (is_kerb_mech(&supported_mechSet->elements[i])) {
+ extern gss_OID_desc * const gss_mech_krb5_wrong;
+ ret = gss_add_oid_set_member(minor_status,
+ gss_mech_krb5_wrong,
+ &supported_mechSet);
+ if (ret != GSS_S_COMPLETE) {
+ *return_token = NO_TOKEN_SEND;
+ goto cleanup;
+ }
+ break;
+ }
+ }
+
/*
* Select the best match between the list of mechs
* that the initiator requested and the list that
@@ -3084,6 +3112,7 @@ get_available_mechs(OM_uint32 *minor_status,
gss_OID_set mechs, goodmechs;
gss_OID_set_desc except_attrs;
gss_OID_desc attr_oids[2];
+ char *msinterop = getenv("MS_INTEROP");
attr_oids[0] = *GSS_C_MA_DEPRECATED;
attr_oids[1] = *GSS_C_MA_NOT_DFLT_MECH;
@@ -3105,6 +3134,15 @@ get_available_mechs(OM_uint32 *minor_status,
return (major_status);
}
+ /*
+ * If the required keytab entries for Kerberized SMB service are
+ * missing due to an SMB authentication upgrade failure, SMB daemon
+ * will set MS_INTEROP environmment variable to 1 to ensure only
+ * NTLMSSP security mech is used for negotiation.
+ */
+ if ((msinterop != NULL) && (!strcmp(msinterop, "1")))
+ goto ntlmssp;
+
for (i = 0; i < mechs->count && major_status == GSS_S_COMPLETE; i++) {
if ((mechs->elements[i].length
@@ -3120,6 +3158,25 @@ get_available_mechs(OM_uint32 *minor_status,
}
}
+ntlmssp:
+ /*
+ * Add NTLMSSP OID to the mech OID set only if MS_INTEROP env var has
+ * been set to:
+ * - "1" (NTLMSSP only) or
+ * - "2" (both Krb5 and NTLMSSP)
+ *
+ * This is a requirement until NTLMSSP is implemented as a GSS-API
+ * plugin.
+ */
+ if ((msinterop != NULL) &&
+ (!strcmp(msinterop, "1") || !strcmp(msinterop, "2"))) {
+ major_status = gss_add_oid_set_member(minor_status,
+ &ntlmssp_oid, rmechs);
+
+ if (major_status == GSS_S_COMPLETE)
+ found++;
+ }
+
/*
* If the caller wanted a list of creds returned,
* trim the list of mechanisms down to only those
@@ -3695,9 +3752,17 @@ negotiate_mech(gss_OID_set supported, gss_OID_set received,
for (i = 0; i < received->count; i++) {
gss_OID mech_oid = &received->elements[i];
+ /*
+ * MIT compares against MS' wrong OID, but we actually want to
+ * select it if the client supports, as this will enable
+ * features on MS clients that allow credential refresh on
+ * rekeying and caching system times from servers.
+ */
+#if 0
/* Accept wrong mechanism OID from MS clients */
if (g_OID_equal(mech_oid, &gss_mech_krb5_wrong_oid))
mech_oid = (gss_OID)&gss_mech_krb5_oid;
+#endif
for (j = 0; j < supported->count; j++) {
if (g_OID_equal(mech_oid, &supported->elements[j])) {